ssh with a yubiKey

use an ssh key with a yubikey and a challenge response for your ssh connection as an extra layer of security

simple steps to get an extra layer of security on your ssh connection with a yubiKey and the challenge response, with no server side tweaking

This sounds easy but 2 things are needed.

STEP-1 check your needs to get this working

need-1 ssh version 8.2 or higher
need-2 firmware on the yubikey 5.2.3 or higher

check for need-1 (ssh version, on both sides: host and target)

ssh -V

check for need-2 (firmware yubikey)

lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}'

STEP-2 install libfido2-dev

apt install libfido2-dev

STEP-3 generate the key (part of the new key, derived via a challenge response with the FIDO/U2F function, will be on the hardware yubikey, so you need to touch the key during this operation when asked)

ssh-keygen -t ed25519-sk -C "yubikey007"

STEP-4 copy the generated public key to the remote host

ssh-copy-id remote_username@remote_server_ip_address

STEP-5 ssh into the remote server using the ssh key (you will get prompted for the challenge response, which means you have to plug in the yubikey and touch it). The magic happens. Have fun!
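As an added example (not the page's own script; it only packages the page's commands), here is a POSIX sh script that checks need-1 and need-2 from STEP-1 on the local side, checks need-1 on the target with the same `ssh -V`, and then runs STEP-3 and STEP-4. The key file path, the remote host argument and the conversion of the lsusb bcdDevice value into a firmware version are assumptions of this script; the comment "yubikey007" is the page's.

```shell
#!/bin/sh
# Added example (not the page's own script): checks need-1 and need-2 from STEP-1
# and then runs STEP-3/STEP-4. Assumed: the key path, the remote host argument and
# the bcdDevice-to-firmware conversion; the comment "yubikey007" comes from the page.

# version_ge A B: return 0 when dotted version A is >= B, comparing component by
# component numerically; letters after a component are ignored ("8.9p1" is 8.9).
version_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ac=${a%%.*}; bc=${b%%.*}               # first component of each
    ac=${ac%%[!0-9]*}; bc=${bc%%[!0-9]*}   # drop "p1"-style suffixes
    [ "${ac:-0}" -gt "${bc:-0}" ] && return 0
    [ "${ac:-0}" -lt "${bc:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac   # advance to the next component
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

# ssh_version_from_banner LINE: pull "8.9" out of an `ssh -V` line such as
# "OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022" or a server
# banner "SSH-2.0-OpenSSH_9.6"; prints nothing if the line is not OpenSSH.
ssh_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9.]*\).*/\1/p'
}

# firmware_from_bcd BCD: lsusb reports the YubiKey firmware in bcdDevice with the
# minor and patch digits run together ("5.43" for firmware 5.4.3). This encoding
# is an assumption of this script; cross-check with `ykman info` if ykman is installed.
firmware_from_bcd() {
  major=${1%%.*}; rest=${1#*.}
  minor=${rest%"${rest#?}"}; patch=${rest#?}
  printf '%s.%s.%s\n' "$major" "$minor" "${patch:-0}"
}

# check_needs: need-1 on this machine, need-2 on the plugged-in YubiKey.
check_needs() {
  v=$(ssh_version_from_banner "$(ssh -V 2>&1)")   # ssh -V writes to stderr
  version_ge "${v:-0}" 8.2 || { echo "need-1 failed: local ssh is ${v:-unknown}, need 8.2+" >&2; return 1; }
  bcd=$(lsusb -v 2>/dev/null | grep -A2 Yubico | grep bcdDevice | awk '{print $2}' | head -n1)
  [ -n "$bcd" ] || { echo "need-2 failed: no YubiKey found by lsusb" >&2; return 1; }
  fw=$(firmware_from_bcd "$bcd")
  version_ge "$fw" 5.2.3 || { echo "need-2 failed: firmware $fw, need 5.2.3+" >&2; return 1; }
  echo "ok: ssh $v, yubikey firmware $fw"
}

# remote_version_ok HOST: need-1 on the target, using the same `ssh -V` as the page.
remote_version_ok() {
  rv=$(ssh_version_from_banner "$(ssh "$1" ssh -V 2>&1)")
  version_ge "${rv:-0}" 8.2
}

# STEP-3 and STEP-4: ssh-keygen prompts for a passphrase (the "set a password" the
# page mentions) and the key is kept in its own file (assumed path) so it can be
# referenced from ~/.ssh/config.
generate_and_copy() {
  key=${2:-$HOME/.ssh/id_ed25519_sk}
  ssh-keygen -t ed25519-sk -C "yubikey007" -f "$key" || return 1   # touch the key when asked
  ssh-copy-id -i "$key.pub" "$1"
}

# Usage: ./yubikey-ssh.sh remote_username@remote_server_ip_address
if [ "$#" -eq 1 ]; then
  check_needs && remote_version_ok "$1" && generate_and_copy "$1"
fi
```

The version comparison is numeric per component on purpose: a plain string compare would rank OpenSSH 10.x below 8.2, and the firmware check needs three components.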

Be aware: if you don't have the (yubi)key you are not able to log in, and a backup of your SSH key does not work either, because with the challenge response the file is just 1/2 of the ssh-key. If you want to have multi factor auth (not 2FA) on your ssh connection, set a password when you generate the ssh-key. Remember: if you destroy the hardware key or lose it, the login is not possible, so be prepared for that scenario. It's a hostile world, be prepared to fight.

Maybe these links will cover some more information:
https://islba.co.at/easier-life-with-custom-ssh-config-file/
https://islba.co.at/disabling-ssh-password-authentication/
https://islba.co.at/4-step-setup-ssh-login-without-password/